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its legislation, to be compatible with the European Union Personal 
Data Protection regime. The work emphasized efforts of Georgia 





Keywords: on the path of developing its Personal Data Protection system. The 
Personal Data, many citizens of Georgia don’t even have a knowledge that their 
Data Transfer, Personal Data has to be defended. Although, the court practice of 
Association Agreement Georgia revealed good developing signs in this field. If before there 


were not any cases concerning personal data protection, today we 
have some good decisions regarding the personal data protection. 
The data transfer between the European Union and Georgia, is 
also implemented in the Association Agreement between the Euro- 
pean Union and Georgia. Here as well has to be mentioned that the 
Association Agreement was the greatest step for Georgia, it was 
the great opportunity to harmonize Georgian Personal Data system 
with a European. Step by step, Georgia is straining to become a 
member of the European Union. Thus, this work is a look through 
past and future of Georgian and EU relations in the field of Personal 
Data system. 
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INTRODUCTION 


Modern reality is impossible to imagine without 
an internet. Internet commenced to be the part of 
our daily life. We created on the Internet our virtual 
reality and every day we share some kind of per- 
sonal information in there. Even in case, when you 
buy the things online, or making flight reservations, 
during this time you share with the controllers your 
own personal data. These personal data can be 
many kinds of, likewise, name, age, bank card de- 
tails, gender and other important minutiae which are 
valuable traits of your personality. But do we really 
need to protect this personal data? 

Answers on this question are the conventions, 
regulations and directives adopted by the United 
Nations and the European Union, which are con- 
stantly here for the defence of the personal data. 
The first ever document which mentioned the im- 
portance of the private realm, was the UDHR in the 
Article 12. Next step in this field was adoption of 
The International Covenant on Civil and Political 
Rights (ICCPR), it declares that no one’s privacy, 
home, correspondence, honour and reputation may 
be subjected to arbitrary and unlawful interference. 
After the enhance role and improvement of the 
modern technologies, also to revelations on mass 
surveillance handle in some states, since 2013 the 
United Nations promptly adopted two resolutions. 
Those regulations were emphasized the negative 
effects of the mass surveillance, though resolu- 
tions adopted in 2016 and 2017 made novel points, 
meticulously about the diminishing of the powers 
of intelligence agencies and denouncing of mass 
surveillance. The robust part of those resolutions 
is that they reaffirm responsibility of state authori- 
ties, moreover they indicate private sector’s liability 
to respect Human Rights, companies are obliged to 
inform consumers about the gathering, usage, shar- 
ing and retention of personal data and to set forth 
transparency. In case of the European Union, firstly 
the Charter of Fundamental Rights in the Article 8 
implemented the right to personal data protection, 
in addition it also sorted out the core values asso- 
ciated with the mentioned right. Take note that be- 
fore the development of computers and internet and 
the rise of the information society, ECHR adopted 
the aforementioned Article 8. 1960s brought broad 
changes in technologies, therefore here was the 


demand for more detailed rules to protect individu- 
al’s personal data. Thus, in 1981, a Convention for 
the protection of individuals with regard to automat- 
ic processing of personal data (Convention 108), 
was created. The main aim of the given convention 
is to defend and regulate transborder flows of per- 
sonal data. Till the adoption of the main document 
for the defence of personal data, the legal tool on 
data protection was Directive 95/46/EC, which was 
adopted by the European Parliament and the Coun- 
cil on 24 October of 1995. The mentioned Directive 
implemented the protection and the free movement 
of personal data of the individuals with regard to the 
processing of personal data. In 2016 EU adopted 
the modernized data protection legislation, also 
named as the General Data Protection Regulation 
(GDPR). This regulation is the best fit for the mod- 
ern economic and social challenges, in context of 
protecting fundamental rights. The interesting part 
is that what’s happening with personal data protec- 
tion in the neighboring countries of EU, in our case 
in Georgia.‘ 

In 2014 Georgia signed Association Agreement 
? for becoming a member of the European Union. As 
Georgia is one of the Eastern Partnership states, it 
took a liability to comply with data privacy require- 
ments. The main objective of Georgia is the harmo- 
nize its own legislation with the European standards, 
specifically regarding the users’ rights, defence 
along with encouraging e-government initiatives, to 
implement personal data security and support their 
active usage between business, governments and 
citizens.* Therefore, the main hypothesis of the giv- 
en research is to find out if Georgian regime of Per- 
sonal Data Protection is compatible with EU regime, 
also to investigate if there are the issues concerning 
the data transfer from EU to Georgia. 
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PERSONAL DATA PROTECTION 
IN EU 


After the Second World War, the protection of 
privacy commenced to be one of the most import- 
ant tasks in the realm of Human Rights, thus it was 
implemented in several regulatory texts, at the Eu- 
ropean level. The disaster and misdeed of the men- 
tioned period of history, disclosed what can hap- 
pen when large databases of personal data were 
utilized for the segregation of population, meticu- 
lously of the targeted minority groups, also it was a 
way to ease the genocide. It was an example how 
menacing public invasion could be into the private 
realm. 4 For not repeating the history, EU has ad- 
opted several Directives. Though, nowadays the 
biggest instrument for the defence of the personal 
data in EU is the General Data Protection Regula- 
tion (GDPR). This is an impressive tool that has to 
be discussed in this research paper. The General 
Data Protection Regulation (GDPR) contrasted to 
its predecessors, accurately puts more points on in- 
dividual control over personal data. New principles 
which are embedded in the given regulation rein- 
force individuals in obtaining more control over their 
data. ° One of the key notions of data protection, 
which determines the material scope of the DPD 
and the GDPR is “Personal data’. Data protection 
principles, rights and obligations, which are imple- 
mented in Article 3(1) of DPD and Article 2(1) of 
GDPR applies solely then, when personal data is 
processed. Pursuant to GDPR “Personal Data’ is: 
“any information relating to an identified or identifi- 
able natural person (‘data subject’); an identifiable 
natural person is one who can be identified, directly 
or indirectly, in particular by reference to an identi- 
fier such as a name, an identification number, lo- 
cation data, an online identifier or to one or more 
factors specific to the physical, physiological, genet- 
ic, mental, economic, cultural or social identity of 
that natural person.”® Anonymous data has contrary 
characteristic to personal data, it mostly rendered 
in a way that information is not identifiable or does 
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not identifies a person, or personal data. Process- 
ing anonymous data did not fall under the realm of 
data protection law. Pseudonymous data acquires 
the traits of personal data after pseudonymisation, 
with this way it is plausible to identify person, and as 
a result it falls under the realm of the data protec- 
tion law.’ The resulting definition of personal data is 
broad, flexible, and adaptable to technological con- 
text.2 To get through more precisely in the notion 
of “Personal Data’, here has to be mentioned the 
court case named as Lindqvist, which took place in 
2014. After this case, focus instead of comprehen- 
sive definition, was put on the big lines. There were 
other cases which provided more depth analyze of 
the particular elements of “Personal Data’. Those 
cases were Breyer, YS and others and Nowak.? 

The earlier regulation on protection of personal 
data were not that explicit about the need for indi- 
vidual control, though the GDPR is not reluctant to 
this. Actually, fortifying individual control was one of 
the main objectives of the EU legislator. Despite the 
fact that the GDPR pays great amount of attention 
to data subjects “control, behavioral scientists criti- 
cized it for not being able to address threats appro- 
priately. With the swift development of intrusive dig- 
ital technologies and algorithmic decision-making, 
the challenges for control over data become more 
complex. Therefore, there are apparent threats re- 
lated to individual control. '° 

European data protection law implements in- 
dependent supervision as one the most significant 
component. Case law also highlighted importance 
of independent supervision. Especially, in the case 
named as Schrems. EU law, specifically the Gener- 
al Data Protection Regulation recognizes free flow 
of data among European Union states. Despite this, 
the General Data Protection Regulation conveys 
specific requirements affiliated with personal data 
transfers to third countries. This means to transfer 
data outside the European Union and to other in- 
ternational organisations. The Regulation mentions 
significance of this kind of data transfer in interna- 





7 N. Purtova, The law of everything. Broad concept of 
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tional trade and cooperation sphere, though it ad- 
mits risks during the transfer of personal data. As a 
result, the General Data Protection Regulation pro- 
vides the same amount of defence to personal data 
which was transferred to third countries as they 
harness within the EU. Data transfer is feasible if it 
complies with the articles written down in Chapter 
V of the General Data Protection Regulation. Un- 
der EU law, the flow of personal data must be free 
from any kind of restrictions or prohibitions through- 
out the EU and among Contracting Parties. In case 
of data transfer to third countries and to organisa- 
tions, EU law set out some specific conditions. EU 
law implements two ways of approving data transfer 
to third countries and to organisations. First way is 
an adequacy decision made by the European Com- 
mission. This way of data transfer is implemented 
in Article 45 of the General Data Protection Reg- 
ulation." Before making an adequacy decision, 
there are several points which are analyzed by the 
European Commission. Firstly, the European Com- 
mission examines the national law and appropriate 
international obligations, next if country participates 
in regional and multilateral systems, meticulously 
regarding the data protection. Also, the European 
Commission can check other conditions on case 
basis. If all the conditions were met, then the Eu- 
ropean Commission issues an adequacy decision. 
The adequacy decision has binding effect. In case 
of absence of European Commission adequacy 
decision, the controller or processor has to convey 
appropriate defence, which includes legal remedies 
and enforceable rights for the data subject. There 
are several applicable safeguards, which can be 
established by: a legally binding and enforceable 
instrument between public authorities or bodies; 
binding corporate rules; standard data protection 
clauses adopted either by the European Commis- 
sion or by a supervisory authority; codes of conduct; 
or certification mechanisms. The General Data Pro- 
tection Regulations also notes other appropriate 
safeguards, those are the data receiver in a third 
country and contractual clauses among the control- 
ler or processor in the European Union. GDPR in 
Article 47 highlights personal data transfer based 
on mandatory corporate rules, which appears with- 
in the same group enterprises or a joint economic 
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activity.’ Moreover, the General Data Protection 
Regulation includes rule to transfer personal data 
with third country for specific purposes based on an 
international agreement. Although, there is written 
down some special rules for the cushion of personal 
data during the mentioned situation. " 


PERSONAL DATA PROTECTION 
IN GEORGIA 


Georgia its first law on personal data protection 
enacted only in 2011. Until this period here was not 
a lex specialis \egislation on personal data protec- 
tion. The Constituion of Georgia implements regular 
rule about private life. Pursuant to the Constitution 
here has to be person’s consent to access its per- 
sonal information."* Neither Civil Code of Georgia, 
nor General Administrative Code of Georgia, had 
any specific rules about the personal data protec- 
tion. Specific approach to data protection was pos- 
sible to found solely in laws, likewise, Tax Code of 
Georgia, Decree of National Commission of Com- 
munications of Georgia on Provision of Services 
and Protection of Consumers’ Rights in the Sphere 
of Electronic Communications and others. Despite 
this, those decrees and laws were working in a 
narrow field and regulated solely those spheres for 
what they were enacted. 

As it was mentioned above, Georgia in 2011 ad- 
opted law on protection of personal data. Pursuant 
to Neighborhood Policy Action Plan Georgia, coun- 
try took liability to implement the Convention for the 
Protection of Individuals with regard to Automatic 
Processing of Personal Data. Therefore, Georgia 
took a great responsibility to at least adopt the law 
which could protect the person’s personal data. 
Law of Georgia on Personal Data Protection was 
adopted by Parliament of Georgia on December 28, 
2011. The main objective of the law is to defend the 
right of privacy in bond with processing personal 
data. The law provides some “general principles of 
personal data processing’, likewise, lawfulness and 
fairness. According to it the person whose data has 
to be processed shall be notified about this. The 
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“Data Subject’ includes number of rights, and per- 
son’s consent for processing his personal data, is 
obligatory. In Article 3 of the law of Georgia on Per- 
sonal Data Protection’® are mentioned some restric- 
tions, when existed law cannot be applied. Some 
of them are quite vague, meticulously it is hard to 
comprehend why the aforementioned law cannot be 
applied for some specific situations. 

The main strength of the law of Georgia on 
Personal Data Protection is that it implemented a 
new institute, named as Personal Data Protection 
Inspector. The Personal Data Protection Inspector 
is responsible for the lawfulness of data processing. 
The Personal Data Protection Inspector is elected 
based on an open competition that is enacted by the 
law. The Premier Minister of Georgia has to approve 
the Competition Commission. The representative of 
NGO, government of Georgia, Judiciary and Public 
Defender’s Office and government of Georgia par- 
ticipates in the Competition Commission. This was 
the main novelty made by the law of Georgia on 
Personal Data Protection. *® 

In the end of 2013 Personal Data Protection 
Inspector of Georgia was finally established. The 
competences of Personal Data Protection Inspector 
contains consulting organisations on matters affil- 
iated with data defence, managing audits of data 
controllers, addressing citizen investigations and 
growing utter level of knowledge regarding infor- 
mation security. The role of Personal Data Protec- 
tion Inspector increments on daily basis in Georgia. 
Therefore, the given research paper will discuss in- 
quires of Personal Data Protector Inspector during 
performance of its duties. As they investigated, by 
a decade in Georgia, adaptation of data defence 
standards and regulations preceded the implemen- 
tation of electronic systems in administrative bod- 
ies. The law of Personal Data Protection requires 
to preserve detailed records of all manipulation 
when it comes to the electronically processed per- 
sonal information. This precludes Personal Data 
Protection Inspectorate from officially obliged state 
entities to realize aforementioned mechanism. The 
automatic logging mechanism in databases includ- 
ing nationals’ personal data is highly monitored and 





15 Law of Georgia on Personal Data Protection, Art. 3 

16 B. Jalagania, Regulatory Framework for Personal 
Data Protection in Georgia and its accordance with EU 
regulations; University of Oslo, 2013; pp. 25-29. 


carried out in practice by Personal Data Protection 
Inspectorate. The lack of automated audit trace 
conveys opportunity to punish controller, even with- 
out of data revelation and mishandling. Every Data 
Protection Inspector Office has their filling system 
catalogues, which is an electronic document. This 
document includes the list of data categories pro- 
cessed by per data controller in Georgia. The men- 
tioned electronic document is filled by controller’s 
authorities and database inscription is there as well. 
One of the most significant liabilities of Personal 
Data Protection Inspector Office is to be the medi- 
ator among data controller authorities and citizens, 
with this way it is representing the interests of data 
subjects. Pursuant to Personal Data Protection In- 
spector’s office the number of citizens inquires has 
incremented during the past couple of years for at 
least five times.'’ Seeing this, it is clear that Per- 
sonal Data Protection is a novelty in the Georgian 
legislation. Despite this fact, the law implemented 
a robust instrument as the Personal Data Protec- 
tion Inspector, whose performance harnesses the 
valuable assist in newly established system of per- 
sonal data protection in Georgia. There was con- 
ducted the survey about users’ comprehension of 
data safety in Georgia. The survey distinguished 
different results. Though, finally it can be summa- 
rized that considerable number of citizens are ready 
to be adopted to e-services, but the other part of the 
users still inclined to remain limited because of their 
anxiety concerning the data security in the society. 


COMPATIBILITY OF TWO 
REGIMES AND TRANSFER 
OF DATA 


In 2014 Georgia officially proclaimed it’s willing 
to be the member of the European Union. After the 
signing the Association Agreement, Georgia took 
a liability to harmonize its legislation with an Euro- 
pean standards. This concerns specifically, user’s 
rights, defence and security of personal data togeth- 
er with encouraging e-government initiatives and 
allying for their active usage among governments, 
citizens, and businesses. Georgia made great effort 
to be compatible with the European Union regime, 
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though still there are plenty of issues that have to be 
tackled. To reach the objectives Georgia is obliged 
to make robust steps in protection of personal data 
and its security. Georgia has to make amendments 
in the field of data controllers. Controllers should be 
liable to present a scripted policy on data security 
or foster the access control mechanisms. With the 
mentioned way Georgian legislation will be more 
compatible with the European Union regime. More- 
over, throughout the whole public sector, Georgia 
has to assure homogeneity of personal data de- 
fence. It has to enhance interoperability and to es- 
tablish protected data exchange channels among 
governmental entities to guarantee safe circulation 
of citizens’ data. Country is obliged to train and de- 
velop work ethics of the public workers in the realm 
of citizens’ personal data privacy, also their activities 
have to be monitored within personal databases. 
The citizens should have opportunity for direct and 
plausible monitoring how meticulously their per- 
sonal data was processed. Georgia is liable for ac- 
tive campaign in the field of citizens’ knowledge on 
matters pertained personal data processing."® Also, 
here should be noted that Georgia amends its law 
on the Personal Data Protection and in the nearest 
future there will be consolidated version of this law. 
In case of data transfer, the Georgian legisla- 
tion is not providing any defined method of data 
exchange. The law of Georgia on Personal Data 
Protection claims that the transmitted data must be 
defeneded from illegal disclosure oblivious of the 
employ. The aforementioned conveys entities dis- 
cretion to accept solely secure ways of data shar- 
ing. In practice there were used mostly two ways of 
data transfer. Ordinary, state entities issues written 
inquires, where legal basis of request is indicated, 
after this organizations hand out citizens’ personal 
data. '? This emphasized the personal data trans- 
fer system on local basis. Although, here arises 
the question, is there any obstacles concerning 
cross-border data transfer from EU to Georgia? 
The European Union’s special rules and reg- 
ulations about data transfer on third countries 
and organisations, which are implemented in 
the General Data Protection Regulation already, 
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were discussed above. Georgian legislation also 
recognizes cross-border data transfer. It means 
that state or international organization can trans- 
fer data to the receiver which is not in the realm 
of Georgian jurisdiction. The law admits several 
rules that implements possibility of data transfer 
to another state or international organization. Pur- 
suant to it, the law of Georgia on Personal Data 
Protection covers some grounds in this field and 
if there are applicable safeguards for the defence 
of data and data subjects by the international or- 
ganization or the state then the data transfer is 
plausible. Another way is the international treaty 
or agreement, which provides the plausibility of 
data transfer. The last point is that data controller 
has to provide applicable assurance for defence 
of data and data subjects’ rights on the ground of 
an agreement signed among a data controller and 
the corresponding state, a natural or legal person 
of that given state or the international organiza- 
tion. Those are the rules that applied in case of 
cross-border transfer. *°Though, to answer on the 
aforementioned question, this work has to look into 
the Association Agreement between the European 
Union and Georgia. Article 188 of the given docu- 
ment regulates data processing and there is writ- 
ten down that data transfer is permissible between 
EU states and Georgia, there are not any obsta- 
cles, instead of this that both parties are obliged 
to “adopt adequate safeguards for the protection 
of privacy and fundamental rights, and freedom of 
individuals, in particular with regard to the transfer 
of personal data.” 21 





20 State Inspector’s Service: https://personaldata.ge/en/cross- 
border-data-transfer 
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and the European Atomic Energy Community and their 
Member States of the one part and Georgia; Art.118. 
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